Maker community scrambles to fix long-standing vulnerability to flash loans


The MakerDAO (MKR) community is urgently implementing measures to prevent voting manipulation through flash loans. This was precipitated by what is likely the first instance of the feature being used to influence a DeFi governance vote on Oct. 26.

According to a post published by community member LongForWisdom, someone used a flash loan to force a governance proposal through. BProtocol, a service that lets users pool liquidity to join in Maker debt auctions, came forward as the culprit.

The proposal would have whitelisted the project to access Maker’s price oracle, making it possibl to run decentralized keepers.

BProtocol used dYdX’s flash loan feature — an unbacked loan that is only granted if it is also returned within the same block. This requirement means that its users must have a predefined path for the money they borrow, and it is only useful for operations that can be completed instantly.

Maker community member Monetsupply explained to Cointelegraph that the governance contracts did not feature any lock-up period:

“Current MKR gov system allows voters to lock their tokens, immediately vote to pass a proposal, and then unlock the tokens all in the same block.”

Using flash loans to engage in governance can be seen as manipulative because the money is essentially free. Anyone could use them to execute their own proposals without being a Maker stakeholder.

The governance power is limited to how much MKR is contained in various DeFi protocols. In this specific case, MKR was sourced from Aave, but up to 64,000 MKR worth $34 million is available for flash loans. This is enough to influence at least some of the future governance proposals.

Due to this, the community is engaging emergency containment measures to make exploitation harder as they wait for a more definitive fix. A twelve hour delay between proposals passing and being executed — introduced to allow for the community to challenge malicious votes — will be extended to 72 hours.

Furthermore, the community is disabling circuit breakers that would allow governance to turn off oracles and liquidations, as they could be potentially abused by malicious actors to exploit the system for money.

The case that set off the alarms was relatively minor, with the founder of BProtocol saying that “we meant no harm, and no harm was made.” He further suggested that this was “aimed to trigger an internal technical discussion,” and that he did not expect such a dramatic community response.

A proposal to fix the underlying issue was being discussed for at least three weeks, but “this incident made it much more urgent,” Monetsupply said.

A relatively simple solution involves measuring a user’s voting power from the tokens locked in the preceding block, thwarting any flash loan-based attack. This fix is expected to be added soon by the Maker Foundation, though no concrete deadlines were announced yet.

Some in the community see this incident as a good thing, as it was a long-standing issue that “should have been fixed before,” said forum member TheoRochaix. As no harm seems to have been done, it is a much less expensive lesson than the Black Thursday auction failure.